September 2006
Report No. 06-024

Division of Supervision and Consumer Protection’s Supervisory Actions Taken for Compliance Violations

Background and Purpose of Audit

The FDIC has supervisory responsibilities for ensuring that the financial institutions it supervises comply with fair lending, privacy, and various other consumer protection laws and regulations. The FDIC uses its compliance examination process to ascertain the effectiveness of an institution’s program for complying with consumer protection laws and regulations. The compliance examination and follow-up supervisory attention to violations and other deficiencies help to ensure that consumers and businesses obtain the benefits and protection afforded them by law.

The objective of our audit was to determine whether the FDIC’s Division of Supervision and Consumer Protection (DSC) adequately addresses the violations and deficiencies reported in compliance examinations to ensure that FDIC-supervised institutions take appropriate corrective action.

To view the full report, go to www.fdicig.gov/2006reports.asp

Results of Audit

DSC identified and reported 9,534 significant compliance violations during 2005. Of the 1,945 financial institutions examined in 2005, 1,607 (83 percent) had been cited with compliance violations deemed significant by the FDIC. Also, 837 (43 percent) of the 1,945 financial institutions examined had repeat, significant violations, of which 708 (85 percent) institutions were rated “1” or “2.”

According to DSC officials, of the institutions examined in 2005, 96 percent were rated “1” or “2,” indicating a strong or generally strong compliance position, while 4 percent were rated “3,” “4” or “5,” indicating various levels of concern. DSC officials stated that the FDIC’s supervisory approach is to increase the level of attention as an institution’s compliance position worsens, and during 2005, DSC downgraded 297 institutions’ compliance ratings, issued 72 informal and 36 formal enforcement actions for compliance, and made 43 compliance referrals to the Department of Justice or other authorities.

However, DSC had not adequately ensured that the financial institutions in our sample had taken appropriate corrective actions for repeat, significant violations that had been cited during examinations. In many cases, consistent with the flexibility allowed by DSC guidance for “1” or “2” rated institutions, DSC waited until the next examination to follow up on repeat, significant compliance violations that had been identified in multiple examinations before taking supervisory action. Specifically, we found that:

•   of the 51 reports of examination (ROE) we reviewed for 14 sampled institutions, DSC had cited 431 significant violations related to 8 consumer protection laws and regulations;
•   47 of the 51 ROEs reviewed identified significant compliance violations;
•   5 of the 47 ROEs resulted in informal supervisory actions and prompted follow-up activities, and 1 visitation for a new FDIC-supervised institution also prompted follow-up activities, but DSC did not follow up on the remaining 41 ROEs until the next examination;
•   11 of the 14 sampled institutions had repeat, significant violations; and
•   all 14 sampled institutions had deficiencies and weaknesses noted in their compliance management system (CMS) in at least 1 ROE. Also, DSC had identified serious deficiencies and weaknesses in some of the institutions’ CMSs that remained uncorrected for extended periods.

As a result of repeat, significant violations, consumers and businesses of the affected institutions may not obtain the benefits and protection afforded them by consumer protection laws and regulations. We also identified certain other matters for DSC’s attention relating to (1) performance goals associated with supervisory actions taken for compliance violations and (2) consideration of an institution’s training program in compliance ratings.

Recommendations and Management Response

The report makes three recommendations for DSC to strengthen its monitoring and follow-up processes by revising guidance on follow-up, considering supervisory action when an institution’s corrective action is not timely or when significant violations recur, and revising its performance goal. DSC’s management will reevaluate applicable guidance; analyze the prevalence and scope of repeatedly cited, significant violations over the next year; and make enhancements or clarifications as necessary. Management’s planned actions are responsive to the recommendations.

TABLE OF CONTENTS

BACKGROUND

RESULTS OF AUDIT

FOLLOW-UP FOR COMPLIANCE VIOLATIONS
  DSC Compliance Examination Guidance
  Follow-up on Identified Violations
  Repeat, Significant Violations
  Supervisory Actions
  Compliance Management System
  Examples of Repeat, Significant Violations; CMS Deficiencies; and Supervisory Actions
  Conclusion
  Recommendations

OTHER MATTERS
  DSC’s 2005 Performance Goals
  Recommendation
  Ratings Consideration of Institution Compliance Training

CORPORATION COMMENTS AND OIG EVALUATION

APPENDIX I:    OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX II:   CONSUMER COMPLIANCE RATING SYSTEM
APPENDIX III:  SIGNIFICANT AND CONSECUTIVE SIGNIFICANT VIOLATIONS CITED FROM JANUARY 1, 2005 TO DECEMBER 31, 2005
APPENDIX IV:   CONSUMER PROTECTION LAWS
APPENDIX V:    CORPORATION COMMENTS
APPENDIX VI:   MANAGEMENT RESPONSE TO RECOMMENDATIONS

TABLES
Table 1: Total Significant Violations for the Sampled Institutions
Table 2: Supervisory Actions Taken for Significant Violations

Federal Deposit Insurance Corporation, 3501 Fairfax Drive, Arlington, VA 22226
Office of Audits, Office of Inspector General

DATE:            September 29, 2006

MEMORANDUM TO:   Sandra L. Thompson, Acting Director
                 Division of Supervision and Consumer Protection

FROM:            Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]
                 Assistant Inspector General for Audits

SUBJECT:         Division of Supervision and Consumer Protection’s Supervisory Actions Taken for Compliance Violations (Report No. 06-024)

This report presents the results of our audit of the FDIC Division of Supervision and Consumer Protection’s (DSC) supervisory actions taken for compliance violations of consumer protection laws and regulations. The overall audit objective was to determine whether DSC adequately addresses the violations and program deficiencies reported in compliance examinations to ensure that FDIC-supervised institutions take appropriate corrective action. Over 20 consumer protection laws and related regulations are addressed by FDIC compliance examinations.
For purposes of this audit, we focused on compliance violations related to eight specific areas.[1] Appendix I of this report discusses our objective, scope, and methodology in detail.

[1] We focused on violations of the following statutes: Electronic Fund Transfer Act (EFTA); Equal Credit Opportunity Act (ECOA) and Fair Housing Act (FHA); National Flood Insurance Act (Flood Insurance); Home Mortgage Disclosure Act (HMDA); Gramm-Leach-Bliley Act (Privacy); Real Estate Settlement Procedures Act (RESPA); Truth in Lending Act (TILA); and Truth in Savings Act (TISA).

BACKGROUND

The FDIC has supervisory responsibilities for ensuring that the financial institutions it supervises comply with fair lending, privacy, and various other consumer protection laws and regulations. The compliance examination is the primary means by which the FDIC determines the extent to which a financial institution is complying with these requirements. The FDIC also conducts visitations and investigations. Visitations are used to review the compliance posture of newly chartered institutions coming under FDIC supervision or to follow up on an institution’s progress on corrective actions. Investigations are used to follow up on a particular consumer’s inquiries or complaints.

The compliance examination and follow-up supervisory attention accorded to violations and other program deficiencies[2] helps to ensure that consumers and businesses obtain the benefits and protections afforded them by law. In addition, violations of some of the laws and regulations give rise to possible civil liability for damages and, in TILA cases, administrative adjustments for understated finance charges or annual percentage rates (APR) on loans. For example, TILA requires institutions to reimburse customers when disclosure errors are identified involving an inaccurate APR or finance charge and that error has resulted in “gross negligence” or a “clear and consistent pattern or practice of violations.” These violations, in certain cases, can also result in civil money penalties. Effective examinations and supervision should help to identify violations and preclude or minimize their recurrence, thereby reducing the potential for penalties or reimbursements.

[2] For purposes of this report, program deficiencies are weaknesses in an institution’s compliance management system as discussed in footnote 3.

The presence of violations and the absence of an effective compliance management system (CMS)[3] to manage a financial institution’s compliance responsibilities also reflect adversely on the institution’s senior bank management and board of directors and may carry over into other areas of management responsibility. Additionally, DSC considers compliance with fair lending, privacy, and other consumer protection requirements when reviewing an application for entry into or expansion within the insured depository institution system.

[3] A financial institution uses its CMS to identify, monitor, and manage its compliance responsibilities and risks. A CMS includes: (1) management and director oversight; (2) a compliance program (policies and procedures, training, monitoring, and complaint process); and (3) audit procedures applied by the institution’s internal or external compliance review function. During each examination, the institutions are assessed by the examiners as strong, adequate, or weak in these areas.

DSC examiners follow the revised Compliance Examination Procedures (Transmittal No. 2005-035, dated August 18, 2005) in examining institutions for compliance with consumer protection laws and regulations. The FDIC’s compliance examinations blend risk-focused and process-oriented approaches. Risk focusing involves using information gathered about a financial institution to direct FDIC examiner resources to those operational areas that present the greatest compliance risks. The compliance examination procedures state that “a financial institution must develop and maintain a sound CMS that is integrated into the overall management strategy of the institution.” Concentrating on the institution’s internal control infrastructure and methods, or the “process,” used to ensure compliance with federal consumer protection laws and regulations acknowledges that the ultimate responsibility for compliance rests with the institution and encourages examination efficiency.

Compliance examinations are conducted every 12-36 months, depending on an institution’s size and the compliance and Community Reinvestment Act (CRA) ratings assigned at the most recent examination. The FDIC follows the Uniform Interagency Consumer Compliance Rating System approved by the Federal Financial Institutions Examination Council (FFIEC) in 1980. Appendix II discusses the rating system and describes how consumer compliance ratings are defined and distinguished.

RESULTS OF AUDIT

DSC identified and reported 9,534 significant[4] compliance violations during 2005.[5] Of the 1,945 financial institutions examined in 2005, 1,607 (83 percent) institutions had been cited with compliance violations deemed significant by the FDIC.
Also, 837 (43 percent) of the 1,945 financial institutions examined had repeat,[6] significant violations, of which 708 (85 percent) institutions were rated “1” or “2.”

[4] The ROEs define significant violations as being of supervisory concern due to their serious nature, recurrent pattern, or system-wide impact. Individually or collectively, these violations reflect deficiencies requiring prompt corrective action by the financial institution. The criteria for what constitutes a significant violation are discussed on the next page.
[5] We are using data we obtained from DSC’s System of Uniform Reporting of Compliance and CRA Examination (SOURCE) as of January 2006.
[6] For purposes of this report, repeat violations represent repeat citations of the same violation codes in consecutive examinations and are reported in SOURCE as consecutive significant violations. Appendix III provides additional information reported in SOURCE from January 1, 2005, to December 31, 2005.

According to DSC officials, of the institutions examined in 2005, 96 percent were rated “1” or “2,” indicating a strong or generally strong compliance position, while 4 percent were rated “3,” “4” or “5,” indicating various levels of concern. DSC officials stated that the FDIC’s supervisory approach is to increase the level of attention as an institution’s compliance position worsens, and during 2005, DSC downgraded 297 institutions’ compliance ratings, issued 72 informal and 36 formal enforcement actions for compliance, and made 43 compliance referrals to the Department of Justice or other authorities.

However, DSC had not adequately ensured that the financial institutions in our sample had taken appropriate corrective actions for repeat, significant violations that had been cited during examinations. In many cases, consistent with the flexibility allowed by DSC guidance for “1” or “2” rated institutions, DSC waited until the next examination to follow up on repeat, significant compliance violations that had been identified in multiple examinations before taking supervisory action. Specifically, we found that:

•   of the 51 reports of examination (ROE) we reviewed for 14 sampled institutions, DSC cited 431 significant violations related to 8 consumer protection laws and regulations;
•   47 of the 51 ROEs reviewed identified significant compliance violations;
•   5 of the 47 ROEs resulted in informal supervisory actions[7] and prompted follow-up activities, and 1 visitation for a new FDIC-supervised institution also prompted follow-up activities, but DSC did not follow up on the remaining 41 reports until the next examination;
•   11 of the 14 sampled institutions had repeat, significant violations; and
•   all 14 sampled institutions had deficiencies and weaknesses noted in their CMS in at least 1 ROE. Also, DSC had identified serious deficiencies and weaknesses in some of the institutions’ CMSs that remained uncorrected for extended periods.

[7] When compliance violations and deficiencies are detected, examiners must determine the severity along with the timing and form of needed corrective actions. The FDIC uses a number of tools to address supervisory concerns, ranging from informal advice and written criticisms, to ratings downgrades and informal supervisory actions, to formal actions that are legally enforceable. Informal supervisory actions are voluntary commitments made by an insured institution’s board of directors and are not legally enforceable.

As a result of these repeat, significant violations, consumers and businesses of the affected institutions may not obtain the benefits afforded them by consumer protection laws and regulations.

We also identified certain other matters that warrant management attention relating to (1) performance goals associated with supervisory actions taken for compliance violations and (2) consideration of an institution’s training program in compliance ratings.

FOLLOW-UP FOR COMPLIANCE VIOLATIONS

DSC often identified and reported significant compliance violations and program deficiencies in multiple examinations over a period of years before taking supervisory action to address repeat violations.
DSC’s guidance does not require follow-up between examinations or enforcement actions for institutions that repeatedly violate consumer protection laws and regulations in a manner cited as significant by FDIC examiners. Instead, DSC’s guidance gives staff the flexibility to wait until the next examination to follow up on significant violations, unless the institution is rated a “4” or “5.” As a result, consumers and businesses of the affected institutions may not obtain the benefits and protection afforded them by these laws and regulations.

DSC Compliance Examination Guidance

DSC’s revised Compliance Examination Procedures state that compliance examinations are the primary means the FDIC uses to determine whether a financial institution is meeting its responsibility to comply with the requirements and proscriptions of federal consumer protection laws and regulations.

The Compliance Examination Procedures do not require follow-up between examinations on significant compliance violations. Significant violations include those violations that meet any of the following criteria:

 (1) recurrent and outstanding for an extended period of time;
 (2) affect, or could affect, a large number of transactions or consumers in a way that has, or could have, severe consequences for the consumers or the financial institution;
 (3) continuation of a violation cited at the previous examination and is repeated in exactly the same manner at the current examination; or
 (4) willful act or omission to defeat the purpose of, or circumvent, law or regulation.

The Compliance Examination Procedures state that recommendations by the examiner-in-charge (EIC) for corrective actions that address the specific deficiencies noted in the narrative of the ROE should be appropriate in light of the size and complexity of the institution’s operations.
The recommendations should enable the institution to resolve current CMS deficiencies and regulatory violations and to minimize future violations by making improvement to its CMS. Ultimately, the board of directors and management of the institution are responsible for determining the actions they will take to address the examination findings. The EIC should consider identifying by name those individuals who commit to specific corrective actions, in order to assist in follow-up at future examinations.

Follow-up on Identified Violations

For 41 (80 percent) of the 51 ROEs in our sample, DSC did not follow up until the next examination, usually 2 or 3 years later, to determine whether the institution had corrected its significant violations. Of the remaining 10 ROEs, 5 ROEs resulted in informal supervisory action, such as bank board resolutions (BBR)[8] and memoranda of understanding (MOU)[9] requiring banks to provide DSC with memoranda or progress reports documenting corrective actions; 2 ROEs were visitations;[10] and 3 ROEs contained no significant violations.

[8] A BBR is an informal commitment adopted by a financial institution’s board of directors (often at the request of the FDIC), directing the institution’s personnel to take corrective action for specific noted deficiencies. BBRs may also be used to strengthen and monitor the institution’s progress with regard to a particular component rating or activity.
[9] An MOU is an informal agreement between an institution and the FDIC that is signed by both parties.
[10] One visitation occurred between compliance examinations to review the institution’s progress on correcting significant violations. The other visitation was DSC’s first visit to a new FDIC-supervised bank; DSC performed the first compliance examination at the bank within a year of the visitation.

As shown in Table 1 below, of the 431 significant violations we reviewed, 111 (26 percent) violations were TILA violations and 103 (24 percent) violations were for RESPA violations. Both of these statutes are intended to provide consumers with certain rights dealing with credit and real estate transactions. TILA requires that institutions disclose their terms and cost to consumers who receive credit. The statute also gives consumers the right to rescind certain credit transactions that involve a lien on a consumer’s principal dwelling, regulates certain credit card practices, and provides a means for fair and timely resolution of credit billing disputes. RESPA requires that institutions provide consumers with pertinent and timely disclosures regarding real estate settlement costs. Further, RESPA is intended to protect consumers against certain abusive practices, such as kickbacks, and places limitations on the use of escrow accounts.

Table 1: Total Significant Violations for the Sampled Institutions

Consumer            Chicago Regional    Kansas City Regional    Boston Area Office    Total
Protection Laws     Office              Office                  (4 Institutions)
                    (4 Institutions)    (6 Institutions)
EFTA                  6                  12                      13                     31
ECOA/FHA             14                  34                      13                     61
Flood Insurance       9                  21                      14                     44
HMDA                  7                  17                       9                     33
Privacy               0                   2                       1                      3
RESPA                24                  41                      38                    103
TILA                 37                  68                       6                    111
TISA                  7                  25                      13                     45
Total               104                 220                     107                    431

Source: OIG analysis of ROEs for the 14 sampled institutions.

Repeat, Significant Violations

Of the 14 institutions we selected for review, 11 (79 percent) had repeat, significant violations. Seven institutions violated the same consumer protection laws and regulations during three or more consecutive examination cycles. No informal actions were taken for 6 of the 11 institutions. The remaining five institutions were subject to informal supervisory actions. Further, three of the five institutions were again cited with repeat, significant violations when the informal actions were terminated by DSC management.[11] Consequently, the supervisory actions were not always effective in ensuring that these institutions were in compliance with consumer protection laws and regulations.

According to DSC, examiners consider the circumstances in determining whether a violation is a repeat violation and indicative of a weakness in procedures or a failure to take appropriate corrective action. Often, a violation code can be used in ROEs many times, but its use could be indicative of a number of distinct issues, problems, or causes. DSC violation codes were developed broadly, and DSC stated that a repeat violation at one examination can result from a different set of circumstances than had been in place at the prior examination.
Repeat violations may also arise when regulatory requirements are changed or amended. For example, the bank may have corrected the previous issue, but a regulatory change could result in a new infraction of the same code.

However, the FDIC’s Compliance Examination Procedures specifically state that violations are significant if they had appeared in the Significant Violations section of the ROE for the previous examination and are repeated in exactly the same manner at the current examination. Isolated repeat violations are not categorized as significant in the examination reports. Further, for our analysis of the repeat, significant violations involving 11 institutions, we relied on the examiners’ description of the significant violations as “repeat violations” in the Significant Violations sections of the ROEs.

Supervisory Actions

Supervisory actions taken by DSC did not always ensure that institutions had corrected repeat, significant violations.
Of the 14 institutions we reviewed, 5 institutions were subject to informal supervisory actions once their rating had changed from a “2” to a “3.” Table 2 below provides a summary of the actions.

Table 2: Supervisory Actions Taken for Significant Violations

Institution      Type of    Year of    Follow-up        Year of         Repeat, Significant Violations
                 Action     Action     Visitation by    Subsequent      Cited, and Action Terminated at
                                       DSC              Examination     Subsequent Examination
Institution A    MOU        2003       No               2005            Yes
Institution B    BBR        2004       No               2005            Yes
Institution C    BBR (a)    2005       NA (b)           NA              NA
Institution D    MOU        2003       Yes              2005            Yes
Institution E    BBR (a)    2005       NA               NA              NA

(a) These supervisory actions were still in effect as of the date of our review.
(b) NA designates not applicable.

[11] Supervisory actions for the other two institutions were still in effect as of the date of our review.

As shown in Table 2, repeat, significant violations still had not been corrected at three of the five institutions subject to informal supervisory actions when these actions had been terminated. Further, DSC concluded that the institutions had adequately complied with the provisions of the actions, even though the examinations of the institutions continued to identify repeat violations.
Pages 8-10 of this report discuss, in detail, examples of the\ninstitutions in our sample that had been subject to informal supervisory actions and cited\nwith repeat violations at the subsequent examination when the actions were terminated.\n\nDSC\xe2\x80\x99s revised Formal and Informal Action Procedures (FIAP) Manual, dated\nDecember 9, 2005, states that the FDIC generally initiates formal or informal corrective\naction against institutions with a composite safety and soundness or compliance rating of\n\xe2\x80\x9c3,\xe2\x80\x9d \xe2\x80\x9c4,\xe2\x80\x9d or \xe2\x80\x9c5,\xe2\x80\x9d unless specific circumstances warrant otherwise. Informal action is\ngenerally appropriate for institutions that receive a composite rating of \xe2\x80\x9c3\xe2\x80\x9d for safety and\nsoundness or compliance. This rating indicates that the institution has weaknesses that, if\nleft uncorrected, could cause the institution\xe2\x80\x99s condition to deteriorate. Formal action12 is\ngenerally initiated against an institution with a composite rating of \xe2\x80\x9c4\xe2\x80\x9d or \xe2\x80\x9c5\xe2\x80\x9d for safety\nand soundness or compliance if there is evidence of unsafe or unsound practices and/or\nconditions or concerns over a high volume or severity of violations at the institution. In\nmore serious situations, however, formal action could be considered even for institutions\nthat receive composite ratings of \xe2\x80\x9c1\xe2\x80\x9d or \xe2\x80\x9c2\xe2\x80\x9d for safety and soundness or compliance\nexaminations to address specific actions or inactions by the institution. 
The FIAP manual
also states that informal actions are particularly appropriate when the FDIC has
communicated with bank management regarding deficiencies and has determined that the
institution’s managers and board of directors are committed to, and capable of, taking
corrective action with some direction but without initiation of a formal corrective action.
However, informal actions are voluntary and not legally enforceable. As shown in
Table 2 above, imposing informal actions does not necessarily result in the
correction of repeat significant violations.

Compliance Management System

DSC did not adequately ensure that the financial institutions in our sample corrected
compliance program deficiencies. All 14 institutions we reviewed had deficiencies and
weaknesses noted in at least 1 ROE. In addition, as discussed in the next section of our
report, DSC identified serious deficiencies and weaknesses in some of these financial
institutions’ CMSs that remained uncorrected for extended periods.

To determine whether an institution has an effective CMS, DSC evaluates three
interdependent elements, including (1) board management and oversight; (2) the
institution’s compliance program, including training and monitoring; and (3) a
compliance audit.[13] According to the Compliance Examination Procedures, when all
elements are strong and working together, an institution will be successful at managing
its compliance responsibilities and risks now and in the future. Noncompliance with
consumer protection laws and regulations can result in monetary penalties, litigation, and
formal enforcement actions. The responsibility for ensuring that an institution is in
compliance appropriately rests with the institution’s board of directors and management.

[12] Formal actions are notices or orders issued by the FDIC against insured financial institutions and/or
individual respondents. The purpose of formal actions is to correct noted safety and soundness
deficiencies, ensure compliance with federal and state banking laws, assess civil money penalties, and/or
pursue removal or prohibition proceedings. Formal actions are legally enforceable.
[13] A compliance audit is an independent review of an institution’s compliance with consumer protection
laws and regulations conducted by the institution or its contractor.

Although the Compliance Examination Procedures do not cite a regulation requiring
FDIC-supervised institutions to have a CMS, the FDIC expects every FDIC-supervised
institution to have an effective CMS adapted to its unique business strategy. In June
2003, the FDIC issued guidance related to the Compliance Examination Procedures,
informing institutions that the Corporation had revised its approach to examining
institutions for compliance with consumer protection laws and regulations.[14] The new
approach combined a risk-based examination process with an in-depth evaluation of an
institution’s CMS.

Examples of Repeat, Significant Violations; CMS Deficiencies; and Supervisory
Actions

The following examples illustrate repeat, significant compliance violations; CMS
program deficiencies; and cases in which DSC supervisory actions were not always
effective in ensuring that institutions took timely and complete corrective action.

     •   From 1997 to 2005, DSC cited 47 significant violations for Institution A, in our
         sample, that included 13 (28 percent) repeat violations. During examinations
         conducted in 1998, 2001, and 2003, Institution A was repeatedly cited for
         RESPA, TILA, HMDA, and TISA violations.
         As a result, DSC downgraded the
         institution’s compliance rating from a “2” to a “3,” and imposed an MOU in 2003,
         about 5 years after the initial citations. During the subsequent 2005 examination,
         the institution was cited for the fourth consecutive time for the same RESPA
         violation that had been cited in the 1998, 2001, and 2003 examinations and was
         cited for the third consecutive time for the same TILA and HMDA violations that
         had been identified in the 2001 and 2003 examinations. However, DSC
         concluded in its 2005 ROE that the MOU had proven to be an effective tool for
         correcting the deficiencies identified at previous examinations. As a result of the
         improvements, DSC recommended that the MOU be terminated. In addition,
         DSC reported continued program deficiencies, which included training, during
         two consecutive examinations.

     •   From 1997 to 2005, DSC cited 77 significant violations for Institution B, in our
         sample, that included 17 (22 percent) repeat violations. During examinations
         conducted in 1999, 2001, and 2003, Institution B was repeatedly cited for flood
         insurance, RESPA and HMDA violations.[15] As a result of the 2003 examination,
         DSC downgraded the bank’s compliance rating from a “2” to a “3.” The bank
         adopted a BBR in 2004, about 5 years after the initial citations, requiring that
         bank management correct all violations listed in the compliance report and initiate
         appropriate procedures to prevent their recurrence. In its March 2005 ROE, DSC
         states that Institution B had adequately addressed the requirements of the BBR,
         even though DSC cited the bank for the fourth consecutive time for the same
         HMDA violation that had been cited in the 1999, 2001, and 2003 examinations.
         Further, DSC reported program deficiencies in five consecutive examinations,
         citing weaknesses in the CMS program that included a lack of comprehensive
         review procedures, training, and the bank’s audit function.

[14] Financial Institution Letter (FIL), Revised Compliance Examination Process, dated June 20, 2003
(FIL-52-2003). FILs are advisories to financial institutions regarding the latest policies and procedures, or new
products available.
[15] In 2004, FDIC assessed civil money penalties against Institution B for violations of Part 339, the FDIC’s
flood insurance regulation, and the Federal Reserve Board’s Regulation C, regarding HMDA.

     •   From 1997 to 2005, DSC cited 44 significant violations for Institution F, in our
         sample, that included 5 (11 percent) repeat violations. During examinations
         conducted in 1998, 2000, and 2003, Institution F was repeatedly cited for RESPA
         violations. In the 1998 examination, when the initial citation was made, the bank
         promised future compliance. However, the same violation was cited at the
         subsequent 2000 examination and again in the 2003 ROE. During the 2005
         examination, Institution F was also cited for repeat TISA and ECOA significant
         violations. Program deficiencies were also noted during two consecutive
         examinations.
         DSC recommended that the institution adopt a written CMS
         program and internal review procedures to prevent the recurrence of the
         violations.

     •   From 1997 to 2005, DSC cited 44 significant violations for Institution C, in our
         sample, that included 7 (16 percent) repeat violations. During examinations
         conducted in 1997, 2003,[16] and 2005, Institution C was repeatedly cited for TILA
         violations. In the 1997 ROE, when the initial citation was made, bank personnel
         promised future compliance. However, the same violation was subsequently cited
         for the third time in the 2005 ROE when DSC downgraded the bank’s compliance
         rating from a “2” to a “3” and the bank adopted a BBR. In addition, DSC
         described the institution’s CMS as lacking a compliance program and internal
         monitoring procedures and having inadequate training and review procedures
         identified by three consecutive examinations.

     •   From 1997 to 2005, DSC cited 58 significant violations for Institution D, in our
         sample, that included 6 (10 percent) repeat violations. During examinations
         conducted in 1997, 1999, and 2002, Institution D was repeatedly cited for RESPA
         and other significant violations. The total number of significant violations more
         than doubled between the 1999 and 2002 examinations, and the violations were
         categorized by DSC as “more serious.” As a result, DSC downgraded the compliance
         rating for Institution D from a “2” in 1999 to a “3” in 2002.
         The 2002 ROE stated that the
         prior ROE informed the bank’s board and management that the number of
         violations had doubled and repeat violations had occurred because the written
         compliance policy had not been implemented and effective program tools such as
         monitoring, audit, and training had not been established or implemented. An
         MOU was imposed on the institution in 2003, and DSC conducted a visitation
         during 2004 to assess the bank’s compliance with the MOU. In response, the
         bank corrected a majority of the violations cited during the 2002 examination, but
         some violations had not been corrected. For example, during the 2005
         examination, the institution was cited for the third consecutive time for the same
         flood insurance violation that had been cited in the 1999 and 2002 examinations.

[16] This institution did not have an examination between 1997 and 2003 because DSC had revised its
examination frequency schedule.

Conclusion

The FDIC’s Deputy to the Chairman and Chief Operating Officer has said publicly that
the FDIC’s supervision and enforcement of consumer laws and regulations are part of
ensuring public confidence in the banking system. Without effective enforcement,
consumers and businesses may not obtain the benefits and protection afforded them by
such laws and regulations.
Consumer protection laws are intended to deter financial
institutions from committing such acts as:

    •   discrimination based on race, color, religion, national origin, sex, marital status,
        and age in any aspect of a credit transaction, including residential
        real-estate-related transactions, such as making loans to buy, build, repair, or
        improve a dwelling;

    •   failure to provide borrowers with pertinent and timely disclosures regarding the
        nature and costs of the real estate settlement process; and

    •   inaccurate and unfair credit billing, credit card, and leasing transactions.

In addition, violations of consumer laws and regulations can give rise to civil liability for
damages and, in TILA cases, administrative adjustments for understated finance charges
or annual percentage rates.

Recommendations

We recommend that the Director, DSC, strengthen guidance related to the monitoring and
follow-up processes for compliance violations by revising:

   1. The Compliance Examination Procedures to require follow-up between
      examinations on repeat, significant compliance violations and program
      deficiencies.

   2. The FIAP manual to require consideration of supervisory actions when any
      institution’s corrective action on repeat, significant violations is not timely or
      when repeat, significant violations are a recurring examination finding.

OTHER MATTERS

DSC’s 2005 Performance Goals

DSC does not have a performance goal[17] associated with the supervision of institutions
rated “1,” “2,” and “3” that are cited with repeat, significant compliance violations.
Instead, one of DSC’s 2005 annual performance goals was to take prompt and effective
supervisory action to monitor and address problems identified during compliance
examinations of FDIC-supervised institutions that receive a “4” or “5” rating for
compliance with consumer protection and fair lending laws. However, of the 837
institutions with repeat significant violations in 2005, 708 (85 percent) institutions were
rated “1” and “2” and 126 (15 percent) institutions were rated “3.” Only three institutions
were rated “4,” and none were rated “5.”

Examiners are instructed to document, for each violation and CMS program deficiency,
corrective actions taken by management during the examination and commitments for
future corrective action. DSC does not require a response from bank management on
corrective actions unless the institution is rated a “3,” “4,” or “5.” According to DSC, a
“1” or “2” rating indicates that the institution has a CMS that is sufficient for correcting
violations and deficiencies in the normal course of business.
However, examinations of
institutions rated “1” or “2” are identifying numerous instances of repeat, significant
violations. As a result, the FDIC’s performance goals did not address the majority of
repeat, significant violations.

Recommendation

We recommend that the Director, DSC, revise:

     3. DSC’s performance goals to focus more broadly on institutions with repeat,
        significant violations.

Ratings Consideration of Institution Compliance Training

As summarized in Appendix II of this report, each financial institution is assigned a
consumer compliance rating predicated upon an evaluation of the nature and extent of its
present compliance with consumer protection and civil rights statutes and regulations and
the adequacy of its operating systems designed to ensure compliance on a continuing
basis.

The FDIC’s compliance ratings standards specifically state, “An institution that is
assigned a rating of ‘2’ is in generally strong compliance. Management is capable of
administering an effective compliance program. Compliance training is satisfactory, and
there is no evidence of practices resulting in repeat violations.”

[17] According to the Government Performance and Results Act, a performance goal is, in general, a target
level of performance against which actual achievement can be compared. Performance goals are to be
included in agency annual performance plans, including those of the FDIC, as required by the Act.

While we are not questioning the assigned rating or the relative weighting given to the
training component of the compliance program, we are nonetheless concerned about the
apparent inconsistency between the ROEs and the ratings’ definitions.
Specifically, we
observed that the narratives for 29 (81 percent) of the 36 ROEs for institutions in our
sample assigned a “2” rating appeared inconsistent with the definition of a “2” rating. All
29 of the ROEs identified the lack of training as the cause or a contributing factor for the
significant violations identified in the ROEs. However, compliance ratings standards
state that training has to be satisfactory for a “2” rating. In addition, 11 of the 14
institutions in our sample that were rated a “2” had repeat significant violations as
identified by DSC. The examples below illustrate that the ROE narratives for these 29
institutions were not consistent with the definition of a “2” rating.

     •   Institution G’s 2005 ROE summary states, “The bank’s training program is
         generally adequate; however, several of the violations noted in this report are
         attributed to a lack of training.
         The lack of appropriate monitoring procedures
         and training has resulted in 15 violations including reimbursable violations of
         [TILA], repeat violations of Equal Credit Opportunity and Consumer Protection
         in the Sales of Insurance, and violations of Home Mortgage Disclosure and
         Flood Insurance, among others.”

     •   Institution H’s 1998 ROE summary states, “The compliance program
         deficiencies include weak monitoring, poor audit coverage and response time, as
         well as inefficient training.” DSC cited seven significant violations, including
         RESPA, Flood Insurance, EFTA, and HMDA violations.

     •   During its 1997 examination, Institution D was cited for 18 significant violations
         that were attributed to management oversight and being unaware of or
         misunderstanding the specific compliance requirements. In 1999, DSC cited
         Institution D for 19 violations, including a repeat RESPA violation. DSC
         reported that “The bank has a written, Board-approved compliance policy that
         calls for the development of compliance procedures, staff training, and periodic
         testing. However, the policy has not been implemented to any significant
         degree.” DSC further reported that “bank management should take immediate
         steps to reinforce the bank’s compliance efforts through some form of systematic
         training and the establishment of internal monitoring procedures.” In 2003, over
         3 years later, DSC imposed an MOU on the bank, recommending that training be
         improved. DSC conducted a visitation in 2004 and reported that the institution
         had made good progress in improving its training system.
         The institution’s
         rating was upgraded to satisfactory in 2005, even though four significant
         violations were cited, and one was a repeat violation cited in the previous two
         examinations.

We are not making any recommendations on this observation. DSC officials told us that
an FFIEC task force is reviewing the definitions of the compliance ratings for institutions.
We encourage DSC to share our observation with the task force for its consideration
when revising the compliance rating definitions.

CORPORATION COMMENTS AND OIG EVALUATION

On September 29, 2006, the Acting Director, DSC, provided a written response to a draft
of this report. The DSC response is presented in its entirety in Appendix V. Overall,
DSC agreed to take corrective actions that are responsive to the recommendations.
Appendix VI contains a summary of management’s response to the recommendations.
The recommendations are resolved but will remain open until we have determined that
the agreed-to actions have been completed and are effective.

In response to recommendations 1 and 3, DSC stated that it intends to analyze the
prevalence and scope of repeatedly cited, significant violations to determine whether any
changes in DSC policies and/or performance goals are necessary. DSC will complete this
analysis and implement appropriate actions by September 30, 2007.

In response to recommendation 2, DSC stated that current FDIC guidance already
permits DSC to consider taking supervisory action against highly rated banks.
Further,
DSC stated that the FIAP manual presents a clear statement of DSC policy as follows:

       In more serious situations, however, formal action could be considered even for
       institutions that receive composite ratings of “1” or “2” for safety and soundness
       or compliance examinations to address specific actions or inactions by the
       institution.

Nonetheless, DSC agreed to reevaluate current FDIC and FFIEC guidance to determine
whether enhancements or clarifications are needed. DSC will complete this process by
September 30, 2007. With regard to this recommendation, we encourage the FDIC to
consider the full range of supervisory actions available to address repeat, significant
compliance violations, not just formal actions as addressed in the FIAP manual.

In addition to specifically addressing the recommendations in our report, DSC’s response
included general comments regarding our findings. The response also discussed DSC’s
commitment to consumer protection and its response to significant violations discovered
during compliance examinations.

In discussing its commitment to consumer protection, DSC stated that, during the 8-year
period covered by our audit, DSC issued 1,075 formal and informal enforcement actions
to ensure that institutions under FDIC supervision complied with consumer protection
laws and regulations.
DSC also stated that, over the same period, it required banks to
refund over $10 million to 220,567 consumers as a result of TILA violations and to make
over $5 million in reimbursement to consumers harmed by unfair and deceptive practices
prohibited by the Federal Trade Commission Act.

With respect to violations discovered during compliance examinations, DSC pointed out
that, although our report focused on repeat, significant violations cited in examination
reports, all but five of these reports were assigned either a “1” or a “2” compliance rating
to the banks involved. DSC further stated that it believes that institutions with a “1” or
“2” compliance rating have “strong” or “generally strong” compliance programs and are
capable of addressing problems. At the next examination, consistent with FDIC
examination procedures, DSC follows up on institution efforts to correct violations. In
addition, DSC believes that some violations represent less risk to consumers, which DSC
takes into consideration as part of the evaluation process to determine the need for follow
up.

While we take no exception to these comments, our view is that repeat, significant
violations should be considered more serious for purposes of supervisory action and
follow-up on corrective action by institutions. As noted in our report, our review of the
14 institutions in our sample found that 11 (79 percent) institutions had repeat, significant
violations.
As shown in our examples, the institutions repeatedly violated the same laws
and regulations for several years before DSC took any supervisory action.

With respect to our report’s observation on ratings, DSC stated that the FDIC strives
diligently to present examination findings in a consistent manner and validates the
processes by secondary review and a strong internal control program. DSC also stated
that each rating is based on a qualitative analysis of the factors comprising that rating,
with some factors given more weight than others, depending on the situation. Finally, in
its response to our report, DSC states that we say the ratings observation is outside the
scope of our audit. In our report, we did not question the assigned rating or the relative
weighting given to the training or other components of the compliance program or the
process that resulted in those ratings. While these matters are within the scope of the
audit, our intent was only to express concern about the possible inconsistency between
the assigned ratings and the ratings’ definitions. We acknowledge that the FFIEC has a
task force reviewing the ratings definitions and hope that this information is useful in that
regard.

APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The objective of this audit was to determine whether DSC adequately addresses the
violations and program deficiencies reported in compliance examinations to ensure that
FDIC-supervised institutions take appropriate corrective action. For purposes of this
audit, we made a distinction between corrective actions taken by bank management to
address compliance violations and actions taken by the FDIC to ensure compliance.
The
FDIC’s actions include efforts to follow up with bank management after examinations,
including correspondence, follow-up visitations or examinations, and the use of
supervisory action. Supervisory action includes informal supervisory actions (such as
BBRs or MOUs) and formal enforcement actions (such as cease and desist orders) to
prompt management action. We performed our audit from January 2006 through July
2006 in accordance with generally accepted government auditing standards.

Scope and Methodology

We judgmentally selected for review 14 institutions with significant compliance
violations in 2004 or 2005 from 3 DSC regions. The 14 institutions had a total of 431
significant violations for the period January 1, 1997 to December 31, 2005 and ranged in
asset size from $34 million to $6.5 billion. We have provided the names of the
referenced institutions to DSC under separate cover. We analyzed DSC’s process for
identifying, reporting, and referring compliance violations and program deficiencies for
appropriate corrective actions, and we assessed the adequacy of DSC actions to follow up
and evaluate corrective actions promised and/or taken by bank management.

To achieve the audit objective, we interviewed FDIC officials in:

   •   DSC’s headquarters in Washington, D.C., and the Kansas City and Chicago
       Regional Offices responsible for conducting supervisory compliance
       examinations.

In addition, we did the following:

   •   Reviewed a prior OIG audit report, which is summarized in the Prior Coverage
       section of this appendix.
   •   Reviewed applicable FDIC rules and regulations, FDIC procedure manuals, DSC
       Regional Directors Memoranda, FILs, and DSC Internal Review Reports related
       to compliance examinations.
   •   Reviewed other government agency Web sites for information on laws and
       regulations pertaining
       to consumer rights and compliance violations.
   •   Verified with DSC our selection of the following categories of consumer
       protection laws and regulations:
           1. EFTA
           2. ECOA/FHA
           3. Flood Insurance
           4. HMDA
           5. Privacy
           6. RESPA
           7. TILA
           8. TISA
   •   Reviewed the FDIC Strategic Plan for 2005-2010 for performance measures
       related to consumer protection.
   •   Consulted the Counsel to the Inspector General to assist in verifying applicable
       criteria and researching potential legal issues.

Internal Controls

We identified DSC’s internal controls related to the risk-focused examination process for
compliance examinations, including the identification of and follow-up on significant
compliance violations and program deficiencies. We reviewed and assessed controls
related to DSC follow-up on significant compliance violations and program deficiencies.
Our review identified weaknesses in these areas as described in the findings section of
our report. We did not assess the adequacy of controls over DSC’s examination process
or the compliance ratings assigned during the examination. We also did not determine
whether DSC should have taken more stringent enforcement actions (i.e., formal actions)
with respect to significant repeat consumer violations.

Reliance on Computer-based Data

We determined through interviews and information available on the DSC Web site that
the DSC SOURCE system is the primary tool DSC uses to track and document
compliance examinations of FDIC-supervised institutions.
During the audit, we
conducted limited testing of SOURCE data to determine its accuracy as it related to
tracking significant compliance violations identified in ROEs. Of the 431 violations
reviewed in our sample, we identified 1 significant compliance violation that was
reported during an examination but was not included in SOURCE. We brought this item
to DSC’s attention. For the purposes of the audit, we did not rely on SOURCE system
data. Our assessment centered on reviews of hardcopy ROEs, examination workpapers,
and other documents such as progress reports and correspondence files. We also
determined that DSC performs internal reviews to ensure that SOURCE data are accurate.

Compliance With Laws and Regulations

We reviewed DSC’s revised Compliance Examination Procedures (Transmittal
No. 2005-035, dated August 18, 2005) to identify guidance for examiners to use when
assessing an institution’s CMS, which must adequately address (through oversight,
policies and procedures, training, monitoring, complaint process, and audit) all areas
related to compliance rules and regulations. For purposes of this audit, we reviewed eight
statutes: EFTA, ECOA/FHA, Flood Insurance, HMDA, Privacy, RESPA, TILA, and
TISA.
We did not identify any instances of FDIC noncompliance with these laws and
regulations although our audit identified areas for strengthening DSC’s supervisory
efforts for implementing and enforcing institution compliance with these laws.

Performance Measures

The Government Performance and Results Act of 1993 directs Executive Branch
agencies to develop a strategic plan, align agency programs and activities with concrete
missions and goals, manage and measure results to justify appropriations and
authorizations, and design budgets that reflect strategic missions. In fulfilling its primary
supervisory responsibilities, the FDIC pursues two strategic goals:

  • FDIC-supervised institutions are safe and sound, and
  • consumers’ rights are protected, and FDIC-supervised institutions invest in their
    communities.

The FDIC’s strategic goals are implemented through the Corporation’s Annual
Performance Plan. The annual plan identifies performance goals, indicators, and targets
for each strategic objective. DSC’s 2005 Annual Performance Plan contained one goal
related to the scope of our audit -- to take prompt and effective supervisory action to
monitor and address problems identified during compliance examinations of
FDIC-supervised institutions that receive a “4” or “5” rating for compliance with consumer
protection and fair lending laws. The Other Matters section of our report discusses our
review of this area.

Fraud and Illegal Acts

The objective of this audit did not lend itself to testing for fraud and illegal acts.
Accordingly, the survey and audit programs did not include specific audit steps to test for
fraud and illegal acts.
However, we were alert to situations or transactions that could
have been indicative of fraud or illegal acts, and no such acts came to our attention.

Prior Coverage

In September 2005, the OIG issued Audit Report No. 05-038, Division of Supervision
and Consumer Protection’s Risk-focused Compliance Examination Process. The overall
objective was to determine whether DSC’s risk-focused compliance examination process
results in examinations that are adequately planned and effective in assessing financial
institution compliance with consumer protection laws and regulations. We found that
examination documentation did not always show the transaction testing or spot checks
conducted during the on-site portion of the examinations, including testing to ensure
reliability of the institutions’ compliance review functions. Also, examiners did not
always document whether the examination reviewed all the compliance areas in the
planned scope of review.

APPENDIX II

CONSUMER COMPLIANCE RATING SYSTEM

By order of the Federal Financial Institutions Examination Council (FFIEC) in November
1980, each financial institution is assigned a consumer compliance rating predicated upon
an evaluation of the nature and extent of its present compliance with consumer protection
and civil rights statutes and regulations and the adequacy of its operating systems
designed to ensure compliance on a continuing basis.
The rating system is based on a
scale of “1” through “5.” An institution rated a “1” represents the highest rating and has
the lowest level of supervisory concern, while a “5” rating represents the lowest, most
critically deficient level of performance and, therefore, the highest degree of supervisory
concern. Consumer Compliance Ratings are defined and distinguished as follows.

A “1” Rating

An institution in this category is in a strong compliance position. Management is
capable of, and staff is sufficient for, effectuating compliance. An effective compliance
program, including an efficient system of internal procedures and controls, has been
established. Changes in consumer statutes and regulations are promptly reflected in the
institution's policies, procedures, and compliance training. The institution provides
adequate training for its employees. If any violations are noted, they relate to relatively
minor deficiencies in forms or practices that are easily corrected. There is no evidence of
discriminatory acts or practices, reimbursable violations, or practices resulting in repeat
violations. Violations and deficiencies are promptly corrected by management. As a
result, the institution gives no cause for supervisory concern.

A “2” Rating

An institution in this category is in a generally strong compliance position. Management
is capable of administering an effective compliance program. Although a system of
internal operating procedures and controls has been established to ensure compliance,
violations have nonetheless occurred. These violations, however, involve technical
aspects of the law or result from oversight on the part of operating personnel.
Modification in the bank's compliance program and/or the establishment of additional
review/audit procedures may eliminate many of the violations.
Compliance training is
satisfactory. There is no evidence of discriminatory acts or practices, reimbursable
violations, or practices resulting in repeat violations.

A “3” Rating

Generally, an institution in this category is in a less than satisfactory compliance
position. A “3” rating is a cause for supervisory concern and requires more than normal
supervision to remedy deficiencies. Violations may be numerous. In addition,
previously identified practices resulting in violations may remain uncorrected.
Overcharges, if present, involve a few consumers and are minimal in amount. There is
no evidence of discriminatory acts or practices. Although management may have the
ability to effectuate compliance, increased efforts are necessary. The numerous
violations discovered are an indication that management has not devoted sufficient time
and attention to consumer compliance. Operating procedures and controls have not
proven effective and require strengthening. This may be accomplished by, among other
things, designating a compliance officer and developing and implementing a
comprehensive and effective compliance program. By identifying an institution with
marginal compliance early, additional supervisory measures may be employed to
eliminate violations and prevent further deterioration in the institution's
less-than-satisfactory compliance position.

A “4” Rating

An institution in this category requires close supervisory attention and monitoring to
promptly correct the serious compliance problems disclosed. Numerous violations are
present. Overcharges, if any, affect a significant number of consumers and involve a
substantial amount of money.
Often, practices resulting in violations and cited at
previous examinations remain uncorrected. Discriminatory acts or practices may be in
evidence. Clearly, management has not exerted sufficient effort to ensure compliance.
Management’s attitude may indicate a lack of interest in administering an effective
compliance program which may have contributed to the seriousness of the institution's
compliance problems. Internal procedures and controls have not proven effective and are
seriously deficient. Prompt action on the part of the supervisory agency may enable the
institution to correct its deficiencies and improve its compliance position.

A “5” Rating

An institution in this category is in need of the strongest supervisory attention and
monitoring. It is substantially in noncompliance with the consumer statutes and
regulations. Management has demonstrated its unwillingness or inability to operate
within the scope of consumer statutes and regulations.
Previous efforts on the part of the
regulatory authority to obtain voluntary compliance have been unproductive.
Discrimination, substantial overcharges, or practices resulting in serious repeat violations
are present.

APPENDIX III

SIGNIFICANT AND CONSECUTIVE SIGNIFICANT VIOLATIONS CITED FROM
JANUARY 1, 2005 TO DECEMBER 31, 2005

Columns:
  (a)      Number of FDIC-Supervised Institutions [a]
  (b)      Number of Institutions Examined [b]
  (c)      Number of Institutions Examined with Significant Violations
  (d=c/b)  Percentage of Institutions Examined with Significant Violations
  (e)      Number of Institutions with Consecutive Significant Violations
  (f=e/c)  Percentage of Institutions with Consecutive Significant Violations

Region             (a)      (b)      (c)   (d=c/b)      (e)   (f=e/c)
Atlanta            742      216      187       87%       86       46%
Chicago          1,090      416      341       82%      180       53%
Dallas             987      387      310       80%      134       43%
Kansas City      1,367      590      547       93%      331       61%
New York           602      188      130       69%       68       52%
San Francisco      467      148       92       62%       38       41%
Total            5,255    1,945    1,607       83%      837       52%

Source: OIG analysis and DSC’s tracking system, SOURCE.
[a] As of July 26, 2006.
[b] Represents examination period January 1, 2005 through December 31, 2005.

APPENDIX IV

CONSUMER PROTECTION LAWS

The primary consumer-protection statutes and associated regulations discussed in this
report are summarized below. There are other consumer-protection laws and regulations,
but based on input from DSC, we limited our work to the following:

Electronic Fund Transfer Act (EFTA) – This Act establishes the basic rights,
liabilities, and responsibilities of consumers who use electronic fund transfer services and
of financial institutions that offer these services. The primary objective of the Act is the
protection of individual consumers engaging in electronic fund transfers.
The FRB’s
Regulation E implements this statute.

Equal Credit Opportunity Act (ECOA) – ECOA prohibits creditor practices that
discriminate based on race, color, religion, national origin, sex, marital status, or age.
The Federal Reserve Board (FRB) issued Regulation B, which describes lending acts and
practices that are specifically prohibited, permitted, or required under ECOA.

Fair Housing Act (FHA) – The FHA prohibits discrimination based on race, color,
religion, national origin, sex, familial status, and handicap in residential
real-estate-related transactions, including making loans to buy, build, repair, or improve a dwelling.
Lenders may not discriminate in mortgage lending based on any of the prohibited factors.
The U.S. Department of Housing and Urban Development (HUD) has issued regulations
to implement the FHA; the FDIC has issued regulations at Part 338 of its Rules and
Regulations (12 Code of Federal Regulations (C.F.R.) Part 338) regarding advertising
and recordkeeping.

National Flood Insurance Act of 1968, National Flood – This Act established a
nationwide flood insurance program and requires the identification of flood-prone areas
and communication of such information. The bank regulators are to require lenders to
notify borrowers of special flood hazards. The financial regulators have issued
regulations that prohibit banks from providing or extending loans where the property
securing the loan is in an area with special flood hazards, unless flood insurance has been
obtained. The FDIC’s regulations are at 12 C.F.R. Part 339.

Home Mortgage Disclosure Act (HMDA) – HMDA was enacted to provide information
to the public and federal regulators regarding how depository institutions are fulfilling
their obligations towards community housing needs.
FRB Regulation C requires
depository and certain for-profit, non-depository institutions (such as mortgage
companies and other lenders) to collect, report, and disclose data about originations and
purchases of home mortgage, home equity, and home improvement loans. Institutions
must also report data about applications that do not result in loan originations.

Gramm-Leach-Bliley Act of 1999 (Privacy) – According to title V, Privacy, of this Act,
financial institutions are required to: ensure the security and confidentiality of customer
information; protect against any anticipated threats or hazards to the security or integrity
of such information; and protect against unauthorized access to, or use of, customer
information that could result in substantial harm or inconvenience to any consumer. This
Act provides the “privacy” protections covered in our report. The financial regulators
have issued implementing regulations. The FDIC’s regulations are located principally at
12 C.F.R. Part 332.

Real Estate Settlement Procedures Act (RESPA) – RESPA requires lenders, mortgage
brokers, or servicers of home loans to provide borrowers with pertinent and timely
disclosures regarding the nature and costs of the real estate settlement process. The Act
also protects borrowers against certain abusive practices, such as kickbacks, and places
limitations upon the use of escrow accounts. HUD promulgated Regulation X, which
implements RESPA.
Also, the FRB’s Regulation Z addresses certain residential
mortgage and variable-rate transactions that are subject to RESPA.

Truth in Lending Act (TILA) – TILA requires meaningful disclosure of credit and
leasing terms so that consumers will be able to more readily compare terms in different
credit and lease transactions. TILA also protects the consumer against inaccurate and
unfair credit billing, credit card, and leasing transactions. FRB issued Regulation Z,
which implements TILA. The regulation requires accurate disclosure of true cost and
terms of credit. The regulation also regulates certain credit card practices, provides for
fair and timely resolution of credit billing disputes, and requires that a maximum interest
rate be stated in variable rate contracts secured by the consumer’s dwelling.

Truth in Savings Act (TISA) – The TISA requires the clear and uniform disclosure of
the rates of interest, which are payable on deposit accounts by depository institutions and
the fees that are assessable against deposit accounts, so that consumers can make a
meaningful comparison between the competing claims of depository institutions with
regard to deposit accounts.
FRB’s Regulation DD implements this statute.

APPENDIX V

APPENDIX VI

MANAGEMENT RESPONSE TO RECOMMENDATIONS

This table presents the management response on the recommendations in our report and
the status of the recommendations as of the date of report issuance.

Rec.     Corrective Action: Taken or Planned/Status               Expected             Monetary   Resolved: [a]   Open or
Number                                                            Completion Date      Benefits   Yes or No       Closed [b]

1        DSC intends to analyze the prevalence and scope of       September 30, 2007   $0         Yes             Open
         repeatedly cited, significant violations over the next
         year. The substance and level of risk to consumers
         related to these violations will be used to evaluate
         whether any changes in DSC policies are necessary.

2        DSC believes the current policy statement in the FIAP    September 30, 2007   $0         Yes             Open
         manual is clear but will reevaluate current FDIC and
         FFIEC guidance to determine whether enhancements
         or clarifications, if any, are needed.

3        DSC intends to analyze the prevalence and scope of       September 30, 2007   $0         Yes             Open
         repeatedly cited, significant violations over the next
         year. The substance and level of risk to consumers
         related to these violations will be used to evaluate
         whether any changes in DSC performance goals are
         necessary.

[a] Resolved – (1) Management concurs with the recommendation, and the planned corrective action is
               consistent with the recommendation.
               (2) Management does not concur with the recommendation, but planned alternative action is
               acceptable to the OIG.
               (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount.
               Monetary benefits are considered resolved as long as management provides an amount.

[b] Once the OIG determines that the agreed-upon corrective actions have been completed and are effective,
    the recommendation can be closed.